Senate Armed Services Committee Aims For Better Cybersecurity
Congress has not forgotten all the trouble caused last year when a China-based actor known as Storm-0558 broke into the State and Commerce Departments, among other places, exploiting a Microsoft vulnerability.
Provisions in the upcoming 2025 defense bill take a jab at Microsoft. One opens the door for the Pentagon to buy alternatives to Microsoft’s cybersecurity services. Another could require any defense contractor doing business in China (such as Microsoft) to “inform the Pentagon if they are ever compelled by Chinese law to disclose new cybersecurity vulnerabilities to Beijing,” as reported by John Sakellariadis at Politico.
Two factors appear to be at work. First, many in Congress do not seem convinced that Microsoft has solved all the culture issues raised in the detailed April report from the Cyber Safety Review Board, which cited a disappointing security culture at Microsoft.
Second, the Pentagon is debating adding an upgraded Microsoft security product to all its unclassified networks and that “monoculture” is worrisome.
“What consideration was given to the fact our near peer adversaries seemingly need to breach just one company to potentially compromise DoD assets and data?” asked Senators Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.) in a May 29, 2024 letter to Pentagon Chief Information Officer John Sherman.
Sherman said last month his team had “very candid conversations” with Microsoft about the Chinese breach and stressed good housekeeping and cyber hygiene.
Whatever happens with these SASC amendments, the Pentagon’s cyber choices will be scrutinized from Capitol Hill.
Google, Microsoft, Oracle and Amazon are all competing on task orders for cloud services for DoD, so there are plenty of choices.